fix aws request/response payload tagging (#9887)

* check for empty env when setting cloud payload tagging

* parse cloud payload tags during config

* add branch  coverage for pathcursor

* apply pr suggestions

Author: ojproductions

dd-trace-core/src/main/java/datadog/trace/core/tagprocessor/PayloadTagsProcessor.java

@@ -1,19 +1,19 @@
 package datadog.trace.core.tagprocessor;
 
+import static datadog.trace.util.json.JsonPathParser.parseJsonPaths;
+
 import datadog.trace.api.Config;
 import datadog.trace.api.ConfigDefaults;
 import datadog.trace.api.TagMap;
 import datadog.trace.api.telemetry.LogCollector;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpanLink;
 import datadog.trace.core.DDSpanContext;
+import datadog.trace.core.util.JsonStreamParser;
 import datadog.trace.payloadtags.PayloadTagsData;
-import datadog.trace.payloadtags.json.JsonPath;
-import datadog.trace.payloadtags.json.JsonPathParser;
-import datadog.trace.payloadtags.json.JsonStreamParser;
-import datadog.trace.payloadtags.json.PathCursor;
+import datadog.trace.util.json.JsonPath;
+import datadog.trace.util.json.PathCursor;
 import java.io.InputStream;
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -38,7 +38,7 @@ public static PayloadTagsProcessor create(Config config) {
           new RedactionRules.Builder()
               .addRedactionJsonPaths(ConfigDefaults.DEFAULT_CLOUD_COMMON_PAYLOAD_TAGGING)
               .addRedactionJsonPaths(ConfigDefaults.DEFAULT_CLOUD_REQUEST_PAYLOAD_TAGGING)
-              .addRedactionJsonPaths(config.getCloudRequestPayloadTagging())
+              .addParsedRedactionJsonPaths(config.getCloudRequestPayloadTagging())
               .build());
     }
     if (config.isCloudResponsePayloadTaggingEnabled()) {
@@ -47,7 +47,7 @@ public static PayloadTagsProcessor create(Config config) {
           new RedactionRules.Builder()
               .addRedactionJsonPaths(ConfigDefaults.DEFAULT_CLOUD_COMMON_PAYLOAD_TAGGING)
               .addRedactionJsonPaths(ConfigDefaults.DEFAULT_CLOUD_RESPONSE_PAYLOAD_TAGGING)
-              .addRedactionJsonPaths(config.getCloudResponsePayloadTagging())
+              .addParsedRedactionJsonPaths(config.getCloudResponsePayloadTagging())
               .build());
     }
     if (redactionRulesByTagPrefix.isEmpty()) {
@@ -145,20 +145,13 @@ public RedactionRules.Builder addRedactionJsonPaths(List<String> jsonPaths) {
         return this;
       }
 
-      private static List<JsonPath> parseJsonPaths(List<String> rules) {
-        if (rules.isEmpty() || rules.size() == 1 && rules.get(0).equalsIgnoreCase("all")) {
-          return Collections.emptyList();
-        }
-        List<JsonPath> result = new ArrayList<>(rules.size());
-        for (String rule : rules) {
-          try {
-            JsonPath jp = JsonPathParser.parse(rule);
-            result.add(jp);
-          } catch (Exception ex) {
-            log.warn("Skipping failed to parse redaction rule '{}'. {}", rule, ex.getMessage());
-          }
+      public RedactionRules.Builder addParsedRedactionJsonPaths(List<JsonPath> jsonPaths) {
+        if (null == jsonPaths) {
+          log.warn("Provided JsonPaths list is null, skipping.");
+          return this;
         }
-        return result;
+        this.redactionRules.addAll(jsonPaths);
+        return this;
       }
 
       RedactionRules build() {

dd-trace-core/src/main/java/datadog/trace/payloadtags/json/JsonStreamParser.java renamed to dd-trace-core/src/main/java/datadog/trace/core/util/JsonStreamParser.java

@@ -1,6 +1,7 @@
-package datadog.trace.payloadtags.json;
+package datadog.trace.core.util;
 
 import com.squareup.moshi.JsonReader;
+import datadog.trace.util.json.PathCursor;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;

dd-trace-core/src/test/groovy/datadog/trace/core/tagprocessor/PayloadTagsProcessorTest.groovy

@@ -3,7 +3,7 @@ package datadog.trace.core.tagprocessor
 import com.squareup.moshi.JsonWriter
 import datadog.trace.payloadtags.PayloadTagsData
 import datadog.trace.payloadtags.PayloadTagsData.PathAndValue
-import datadog.trace.payloadtags.json.PathCursor
+import datadog.trace.util.json.PathCursor
 import datadog.trace.test.util.DDSpecification
 import datadog.trace.api.Config
 import okio.Buffer

internal-api/src/main/java/datadog/trace/api/Config.java

@@ -673,6 +673,7 @@
 import static datadog.trace.util.CollectionUtils.tryMakeImmutableList;
 import static datadog.trace.util.CollectionUtils.tryMakeImmutableSet;
 import static datadog.trace.util.ConfigStrings.propertyNameToEnvironmentVariableName;
+import static datadog.trace.util.json.JsonPathParser.parseJsonPaths;
 
 import datadog.environment.JavaVirtualMachine;
 import datadog.environment.OperatingSystem;
@@ -704,6 +705,7 @@
 import datadog.trace.util.PidHelper;
 import datadog.trace.util.RandomUtils;
 import datadog.trace.util.Strings;
+import datadog.trace.util.json.JsonPath;
 import datadog.trace.util.throwable.FatalAgentMisconfigurationError;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import java.io.BufferedReader;
@@ -1283,8 +1285,8 @@ public static String getHostName() {
   private final String agentlessLogSubmissionProduct;
 
   private final Set<String> cloudPayloadTaggingServices;
-  @Nullable private final List<String> cloudRequestPayloadTagging;
-  @Nullable private final List<String> cloudResponsePayloadTagging;
+  @Nullable private final List<JsonPath> cloudRequestPayloadTagging;
+  @Nullable private final List<JsonPath> cloudResponsePayloadTagging;
   private final int cloudPayloadTaggingMaxDepth;
   private final int cloudPayloadTaggingMaxTags;
 
@@ -2861,10 +2863,39 @@ PROFILING_DATADOG_PROFILER_ENABLED, isDatadogProfilerSafeInCurrentEnvironment())
     this.cloudPayloadTaggingServices =
         configProvider.getSet(
             TRACE_CLOUD_PAYLOAD_TAGGING_SERVICES, DEFAULT_TRACE_CLOUD_PAYLOAD_TAGGING_SERVICES);
-    this.cloudRequestPayloadTagging =
+
+    List<String> cloudReqPayloadTaggingConf =
         configProvider.getList(TRACE_CLOUD_REQUEST_PAYLOAD_TAGGING, null);
-    this.cloudResponsePayloadTagging =
+    if (null == cloudReqPayloadTaggingConf) {
+      // if no configuration is provided, disable payload tagging
+      this.cloudRequestPayloadTagging = null;
+    } else if (cloudReqPayloadTaggingConf.size() == 1
+        && cloudReqPayloadTaggingConf.get(0).equalsIgnoreCase("all")) {
+      // if "all" is specified enable all JSON paths
+      this.cloudRequestPayloadTagging = Collections.emptyList();
+    } else {
+      // parse and validate JSON paths. if none are valid, disable payload tagging
+      List<JsonPath> validRequestJsonPaths = parseJsonPaths(cloudReqPayloadTaggingConf);
+      this.cloudRequestPayloadTagging =
+          validRequestJsonPaths.isEmpty() ? null : validRequestJsonPaths;
+    }
+
+    List<String> cloudRespPayloadTaggingConf =
         configProvider.getList(TRACE_CLOUD_RESPONSE_PAYLOAD_TAGGING, null);
+    if (null == cloudRespPayloadTaggingConf) {
+      // if no configuration is provided, disable payload tagging
+      this.cloudResponsePayloadTagging = null;
+    } else if (cloudRespPayloadTaggingConf.size() == 1
+        && cloudRespPayloadTaggingConf.get(0).equalsIgnoreCase("all")) {
+      // if "all" is specified enable all JSON paths
+      this.cloudResponsePayloadTagging = Collections.emptyList();
+    } else {
+      // parse and validate JSON paths. if none are valid, disable payload tagging
+      List<JsonPath> validResponseJsonPaths = parseJsonPaths(cloudRespPayloadTaggingConf);
+      this.cloudResponsePayloadTagging =
+          validResponseJsonPaths.isEmpty() ? null : validResponseJsonPaths;
+    }
+
     this.cloudPayloadTaggingMaxDepth =
         configProvider.getInteger(TRACE_CLOUD_PAYLOAD_TAGGING_MAX_DEPTH, 10);
     this.cloudPayloadTaggingMaxTags =
@@ -5315,7 +5346,7 @@ public boolean isCloudPayloadTaggingEnabled() {
     return isCloudRequestPayloadTaggingEnabled() || isCloudResponsePayloadTaggingEnabled();
   }
 
-  public List<String> getCloudRequestPayloadTagging() {
+  public List<JsonPath> getCloudRequestPayloadTagging() {
     return cloudRequestPayloadTagging == null
         ? Collections.emptyList()
         : cloudRequestPayloadTagging;
@@ -5325,7 +5356,7 @@ public boolean isCloudRequestPayloadTaggingEnabled() {
     return cloudRequestPayloadTagging != null;
   }
 
-  public List<String> getCloudResponsePayloadTagging() {
+  public List<JsonPath> getCloudResponsePayloadTagging() {
     return cloudResponsePayloadTagging == null
         ? Collections.emptyList()
         : cloudResponsePayloadTagging;

dd-trace-core/src/main/java/datadog/trace/payloadtags/json/JsonPath.java renamed to internal-api/src/main/java/datadog/trace/util/json/JsonPath.java

@@ -1,4 +1,4 @@
-package datadog.trace.payloadtags.json;
+package datadog.trace.util.json;
 
 import java.util.ArrayList;
 import java.util.Collection;

dd-trace-core/src/main/java/datadog/trace/payloadtags/json/JsonPathParser.java renamed to internal-api/src/main/java/datadog/trace/util/json/JsonPathParser.java

@@ -1,7 +1,13 @@
-package datadog.trace.payloadtags.json;
+package datadog.trace.util.json;
 
 import static java.lang.Character.isDigit;
 
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 public class JsonPathParser {
 
   public static final class ParseError extends Exception {
@@ -26,6 +32,24 @@ public ParseError(CharSequence path, int position, String error) {
   private static final char DOUBLE_QUOTE = '"';
   private static final char ESC = '\\';
 
+  private static final Logger log = LoggerFactory.getLogger(JsonPathParser.class);
+
+  public static List<JsonPath> parseJsonPaths(List<String> rules) {
+    if (null == rules || rules.isEmpty()) {
+      return Collections.emptyList();
+    }
+    List<JsonPath> result = new ArrayList<>(rules.size());
+    for (String rule : rules) {
+      try {
+        JsonPath jp = parse(rule);
+        result.add(jp);
+      } catch (Exception ex) {
+        log.warn("Failed to parse redaction rule '{}'. {}. Skipping rule.", rule, ex.getMessage());
+      }
+    }
+    return result;
+  }
+
   public static JsonPath parse(String path) throws ParseError {
     Cursor cur = new Cursor(path);
 

dd-trace-core/src/main/java/datadog/trace/payloadtags/json/PathCursor.java renamed to internal-api/src/main/java/datadog/trace/util/json/PathCursor.java

@@ -1,4 +1,4 @@
-package datadog.trace.payloadtags.json;
+package datadog.trace.util.json;
 
 import java.util.Arrays;